Payment cards such as credit cards and debit cards are very widely used for all forms of financial transaction. The use of payment cards has evolved significantly with technological developments over recent years. Many payments are made at a retail location, typically with a physical transaction card interacting with a point of sale (POS) terminal to perform a transaction. These transaction cards may interact with a POS by swiping through a magnetic stripe reader, or for a “chip card” or “smart card” by direct contact with a smart card reader (under standard ISO/IEC 7816) or by contactless interaction through local short range wireless communication (under standard ISO/IEC 14443).
In Europe, contactless cards generally operate under the EMV standard for interoperation of chip cards and associated apparatus provided and maintained by EMVCo. In other areas such as the USA, contactless cards exist, but operate under a different set of protocols. In the USA, a “contactless mag-stripe” protocol is used which utilises aspects of the existing protocol used in reading of a transaction card magnetic stripe by a card reader, but modified to avoid replay attack risks by inclusion of dynamic data. This contactless mag-stripe protocol is described in more detail in the EMV Contactless Specifications for Payment Systems, available from https://www.emvco.com/specifications.aspx?id=21.
It is increasingly desirable for consumers to obtain and manage electronic receipts for card transactions. When making a payment at a point of sale (POS) terminal, it would be desirable for this to take place directly without an additional intervention (such as the capture of a customer e-mail address by the merchant) and in such a way that the customer could easily match payment data and receipt data. As payment data and receipt data are typically handled by different systems, a logical mechanism to achieve this is to find a transaction identifier that will allow data from the two systems to be matched to determine when each is referring to the same transaction.
This is particularly problematic where a transaction does not contain a single reliable identifier that will remain intact throughout any system using data from that transaction. Contactless mag stripe transactions do contain information suitable for use as a reliable identifier, but this information does not necessarily remain intact through all systems using the data from the transaction. This is because in a contactless mag stripe transaction, the best identifying data comprises the two dynamically modified contactless mag stripe tracks, Track 1 and Track 2. For example, in a MasterCard PayPass implementation, Track 1 and Track 2 are modified in the course of a transaction with an Unpredictable Number (UN) provided by the contactless reader and with a payment application's transaction counter and a dynamic cryptogram. The Track 1 and Track 2 data, as modified by the contactless reader, are each capable of providing a transaction identifier for a transaction, but will not be reliably passed through the payment infrastructure associated with the transaction. This is because when seeking authorisation for the transaction, the POS terminal will pass on at least one of Track 1 and Track 2, but may not pass on both because of messaging space constraints.
It is desirable in systems like this to find a way of maintaining the integrity of data through identifying transactions so that they can be reconciled even if it is not possible to identify specific transaction-identifying data that will be maintained reliably throughout systems handling transaction data.